Security Structure

Lesson 3: Security standards
Objective: Security Standards currently being used

Security Standards currently being used

What are the security standards currently being used?
Various security standards are widely used in the industry to ensure the protection of information, networks, and systems. Although the landscape of security standards constantly evolves to address new threats and challenges, the following security standards are commonly used:
  1. ISO/IEC 27001: This is an internationally recognized information security management standard, which provides a systematic approach to managing sensitive information by applying risk management processes and giving assurance to interested parties that appropriate security controls are in place.
  2. NIST Cybersecurity Framework: Developed by the National Institute of Standards and Technology (NIST) in the United States, this voluntary framework provides a set of guidelines and best practices for organizations to better manage and reduce cybersecurity risks.
  3. PCI-DSS: The Payment Card Industry Data Security Standard (PCI-DSS) is a comprehensive set of requirements for enhancing the security of payment card data. This standard is applicable to all entities involved in payment card processing, including merchants, processors, acquirers, and service providers.
  4. HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data in the United States. Organizations that handle protected health information (PHI) must adhere to HIPAA requirements to ensure the confidentiality, integrity, and availability of PHI.
  5. GDPR: The General Data Protection Regulation (GDPR) is a comprehensive data privacy regulation that applies to organizations operating within the European Union (EU) or handling the personal data of EU citizens. GDPR aims to harmonize data protection laws across the EU and ensure individuals' privacy rights.
  6. SOC 2: Service Organization Control (SOC) 2 is an auditing procedure that assesses a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy. It is particularly relevant for technology and cloud computing service providers.
  7. FISMA: The Federal Information Security Management Act (FISMA) is a United States law that mandates the implementation of information security standards for federal agencies and their contractors. FISMA requirements are based on guidelines provided by NIST.
  8. CIS Critical Security Controls: The Center for Internet Security (CIS) Critical Security Controls is a prioritized set of actions designed to improve an organization's cybersecurity posture. These controls provide a roadmap for organizations to identify and mitigate common security vulnerabilities effectively.

Note that this list reflects the standards in use as of September 2021; there may have been changes or additions since then. It is essential to stay informed about the latest security standards, guidelines, and best practices to ensure the ongoing protection of information, networks, and systems.
In the quest for an effective security system, some basic services and standards are used. The security services defined by the ISO 7498-2 security architecture are summarized below; they will be examined in more detail in upcoming lessons.

[Diagram: ISO 7498-2 security services; each rectangle in the diagram corresponds to one of the numbered items below.]
  1. Authentication is the process of proving identity; authentication services ensure the authenticity of an entity during communication and/or transfer of data.
  2. Access control provides protection against the unauthorized use of system resources that may be accessible. This service relates to what resources a user or service may access on the system or network.
  3. Data confidentiality services protect data from unauthorized disclosure and passive threats.
  4. Data integrity services protect against active threats by verifying or maintaining the consistency of information.
  5. Repudiation is defined as the denial by one of the entities involved in a communication of having participated in all or part of the communication. Non-repudiation services provide for proof of origin and/or proof of delivery.

Security Standards / Security Services

Security mechanisms

The actual systems and software that provide the different security services are referred to by ISO as security mechanisms. These mechanisms are classified as either specific or pervasive. Specific mechanisms implement specific services. Encryption is a specific mechanism used for data confidentiality. Pervasive mechanisms are not related to a specific service. Examples of pervasive mechanisms include security labels and audit trails.
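The following added example (not part of the original lesson) shows how the ISO 7498-2 services listed above map onto mechanisms of the two kinds just described. The keyed hash (HMAC) is a specific mechanism that provides data integrity and data-origin authentication, the ACL is a specific mechanism for access control, and the audit trail is a pervasive mechanism that records every decision regardless of which service made it. The key, users, resource and ACL entries are constructed for the example.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed for this example: a shared secret and a small access control list.
KEY = secrets.token_bytes(32)
ACL = {
    "alice": {"report.txt": {"read", "write"}},
    "bob": {"report.txt": {"read"}},
}

# Pervasive mechanism: an audit trail that is not tied to any single service.
audit_trail = []


def audit(event: str) -> None:
    audit_trail.append(f"{datetime.now(timezone.utc).isoformat()} {event}")


def protect(sender: str, payload: bytes) -> tuple:
    """Specific mechanism for data integrity and data-origin authentication.
    The tag binds the claimed sender and the payload under the shared key.
    Note: HMAC gives no non-repudiation, because the verifier holds the same
    key and could have produced the tag itself; that service needs a
    digital signature (asymmetric key), which is not shown here."""
    tag = hmac.new(KEY, sender.encode() + b"\x00" + payload, hashlib.sha256).digest()
    audit(f"protect sender={sender} len={len(payload)}")
    return payload, tag


def verify(sender: str, payload: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; any change to the
    sender name or the payload (an active threat) is detected."""
    expected = hmac.new(KEY, sender.encode() + b"\x00" + payload, hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, tag)
    audit(f"verify sender={sender} ok={ok}")
    return ok


def access_allowed(user: str, resource: str, action: str) -> bool:
    """Access control service: consult the ACL before a resource is used."""
    allowed = action in ACL.get(user, {}).get(resource, set())
    audit(f"access user={user} resource={resource} action={action} allowed={allowed}")
    return allowed


if __name__ == "__main__":
    msg, tag = protect("alice", b"quarterly figures")
    print("intact:", verify("alice", msg, tag), "tampered:", verify("alice", msg + b"!", tag))
    print("bob may write:", access_allowed("bob", "report.txt", "write"))
    print("\n".join(audit_trail))
```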

Government Security Standards

NSA and NIST jointly released a new series of standards called the Trust Technology Assessment Program (TTAP). TTAP defines seven security levels, beginning with Evaluation Assurance Level (EAL) 1 and continuing through EAL 7 (the most secure level). TTAP is still in its early development and shows promise of defining an industry-wide security standardization.
Click the link below to review the standards of security.
Security Standards Definitions